I have the code above in DBaction3-3.php, it will be reached from http://dot.kr/x-test/todbAction3-3.php. The result of it is "select id from myTable1 where title=''" instead of "select id from myTable1 where title='title1'"?

cranial_bore
—
2010-12-02T00:02:12Z —
#4

Firstly, you don't seem to have any SQL Injection prevention. Using user-submitted values directly in your queries is a big problem. It should look something like this:

Which sort of solves your second problem because referring to $title inside a string is a lot simpler than referring to $_POST['title'];

But, FYI if you ever do need to use an associative array value in a string you have these options:

/* no single quotes required around 'name'
because the string is wrapped in double quotes
and the variable will be parsed */
$myString = "Hello $_POST[name], how are you?";
/* single quotes required when using curly
brackets to isolate the variable */
$myString = "Hello {$_POST['name']}, how are you?";
/* concatenate */
$myString = 'Hello ' . $_POST['name'] . ', how are you?';
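
An added example, not part of cranial_bore's post or of the original thread: the thread's query built by string interpolation next to a PDO prepared statement, which is one common way to keep a submitted value out of the SQL text. The in-memory SQLite database (needs the pdo_sqlite extension), the sample rows, the input arrays standing in for `$_POST`, and the function names `findIdsInterpolated` and `findIdsPrepared` are assumptions made for illustration.

```php
<?php
// Constructed table and rows in an in-memory SQLite database (assumption:
// stands in for the poster's real database, which the thread does not show).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE myTable1 (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO myTable1 (title) VALUES ('title1'), ('title2')");

// Unsafe (hypothetical helper): the submitted value becomes part of the SQL text.
function findIdsInterpolated(PDO $pdo, array $post): array
{
    $sql = "select id from myTable1 where title='{$post['title']}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safer (hypothetical helper): the SQL text is fixed and the value is bound as data.
function findIdsPrepared(PDO $pdo, array $post): array
{
    // Reject a missing field instead of silently running the query with title=''.
    if (!isset($post['title']) || !is_string($post['title'])) {
        throw new InvalidArgumentException("form field 'title' was not submitted");
    }
    $stmt = $pdo->prepare('select id from myTable1 where title = :title');
    $stmt->execute([':title' => $post['title']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_POST.
$normal   = ['title' => 'title1'];
$crafted  = ['title' => "x' OR '1'='1"];   // quote characters inside the value
$wrongKey = ['$myVar' => 'title1'];        // literal key '$myVar', as in the thread

echo "interpolated, normal:  ", json_encode(findIdsInterpolated($pdo, $normal)), "\n";
// The quotes in the value rewrite the WHERE clause, so rows that do not match are returned.
echo "interpolated, crafted: ", json_encode(findIdsInterpolated($pdo, $crafted)), "\n";
echo "prepared, normal:      ", json_encode(findIdsPrepared($pdo, $normal)), "\n";
// The same value is compared as a plain string and matches no title.
echo "prepared, crafted:     ", json_encode(findIdsPrepared($pdo, $crafted)), "\n";

try {
    findIdsPrepared($pdo, $wrongKey);
} catch (InvalidArgumentException $e) {
    // The wrong array key is reported here rather than producing title=''.
    echo "prepared, wrong key:   ", $e->getMessage(), "\n";
}
```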

system
—
2010-12-02T00:03:34Z —
#5

dotJoon said:

The result of it is "select id from myTable1 where title=''" instead of "select id from myTable1 where title='title1'"?

That means either $_post['$myVar'] is not set or = an empty string.

The next debugging step is to find where $_post['$myVar'] is actually assigned a value.

dotJoon, you still have a dollar sign in front of $myVar near where you have highlighted POST in red. You even quoted my post where I said not to use $myVar. Like Kalon and I said you need to remove that dollar sign. You're referring to an array key, not a variable.

dotJoon
—
2010-12-02T00:38:34Z —
#17

Kalon said:

I have to go shortly

See you later. Have a good day/night.

dotJoon
—
2010-12-02T00:41:44Z —
#18

cranial_bore said:

Like Kalon and I said you need to remove that dollar sign. You're referring to an array key, not a variable.